Block LAN ports from each other?

I'm not sure if this is a routing question or a Tomato question, or both.

One of LAN ports on my Tomato will have a wifi hotspot plugged into it and I would like to block the hotspot from communicating with anything else on the internal network, and only allow it to go out through the WAN. How would I go about doing this? Is this a routing table config or access restriction?

Thanks for your help! Tomato is really amazing. I can't believe how far 3rd party firmware has come since I last tried openWRT a few years ago. Great work!